A web application firewall (WAF) is a security service that sits between your web application and your user. WAFs are designed to detect and block common web application attacks before they ever make it to your site. Often, WAFs can even block exploits that we don’t know about yet! In this article, we’ll talk about the different kinds of WAFs and give you some options for implementing them.
Adding a WAF is fairly straightforward, but it helps to know where the WAF fits in with your application and your network. There are three general ways to implement a WAF, and each method has its pros and cons.
Server-based Software WAF (Method 1)
In this method, WAF software is installed on your application server. When a user makes a request to your application server, the request first gets filtered by the WAF, then is passed on to the application. While this is one of the easiest configurations, it also permits bad traffic to enter the network AND your application server before being filtered.
3rd Party Platform WAF (Method 2)
In this method, all traffic is routed through a 3rd party WAF. When the user connects to your site, they are unknowingly connecting to another secure network where their traffic is filtered first. Then, good traffic passes on to your network and your web application. This requires a trust relationship between you and your WAF provider but is often the most robust and secure method for WAF deployment.
Local Appliance (Method 3)
For more complicated infrastructure – or for those organizations with special requirements – a local appliance can be used to perform WAF functions separate from the web application. In this case, traffic is first routed to another server on your network which performs WAF functionality, then it is sent to your web application. These are often costly enterprise solutions, but also typically perform a lot of other networking functionality (e.g. load balancing).
Whatever solution you choose, ensure that traffic cannot go around your WAF and directly to the IP of your server. See your WAF vendor for details on how to make sure you have configured this properly.
As with any security product, be sure to test your website! A WAF will block bad traffic, but sometimes even good traffic can look bad. This process is referred to as “tuning” your WAF and is critical to ensuring that your WAF doesn’t block legitimate traffic.
The solutions most often recommended for our clients is Method 2 - 3rd Party Platform WAF. These solutions are easy to configure and integrate into your environment, and often come with quite a few ancillary benefits, such as anti-DDoS protection and continual updates. We typically recommend Cloudflare for DDoS and WAF, however, Sucuri is also a good solution for many.
For more information on this topic please reach out to us; we’re here to help!